Date: Thu, 18 Jan 2018 17:10:05 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: How to deal with reporters who don't want their bugs fixed?
Subject says it all: What do you do if you receive a vulnerability
report, and the reporter requests an embargo at some time in the future
because that's when their paper/conference presentation/patent
submission is scheduled?
The obvious approach is to find a prior public report of essentially the
same bug and fix that (which will work surprisingly often), but let's
assume that this isn't the case.
Thanks,
Florian